SQL injection attacks are evolving as the prime mode of transportation for malicious scripts that hackers wish to insert into legitimate web-sites. Typically the web-site is a vehicle for distributing Trojans through scripts crafted to exploit certain vulnerabilities on visiting PCs.

These scripts are often designed to exploit vulnerabilities that the vendor usually has a patch available for; however, if you look at it from a statistical perspective, there will be a certain percentage of users who have not patched their systems against these vulnerabilities. In addition some of these attacks have used 0-day vulnerabilities to spread malware to unsuspecting users as in the case with the recent Adobe Flash vulnerability.

In most cases the Java script code being used to execute the vulnerability is obfuscated and very difficult to perform an analysis on, thus, the real intention behind the script (exploitation of vulnerabilities) can’t be seen by the naked eye. It takes clever decoding techniques to reveal the presence of actual exploit code.

The result is extra time and effort on the part of the anti-virus lab engineer to create an effective vaccination for malware delivered through encoded Java script.

However; the average rate of infection amongst protected networks is anywhere from 70% to 75% according to research conducted by PandaLabs on over 1200 networks across the globe. This obviously raises questions concerning the level and quality of protection companies have running on their PCs.

However; little is known about the true intentions or motivations behind these mass hacking campaigns. From our perspective it’s purely business and with a profit driven approach hackers will do pretty much anything to make a buck.

So exactly how do hackers gain access to web-sites without administrative privileges or by exploiting site specific vulnerabilities? Good question! It’s quite obvious that hackers are doing this through automation as it’s impossible to hack these sites manually. Some recent hacking campaigns have shown numbers in the range of 250,000 to 500,000 sites generically compromised almost overnight. What is not entirely clear is how they are gaining access to these sites at such a high rate without really customizing the attack on a site-by-site basis.

One theory is tools that incorporate the Google API framework to automate the tasks of discovering and validating if a site may be vulnerable to a SQL injection attack; a process that normally would require a visual inspection. An example of a query string that could be used is: intitle:”<iframe src=http”. This tool would also have the capability of constructing a specific injection routine to be performed against discovered targets. Certainly there are tools out there capable of conducting automated blind SQL Injection attacks including the discovery of vulnerable targets.

Over a five month period, Panda Security conducted several audits with a large state agency in the United States to assess the level of risk pertaining to hidden and undetected infection points. Due to the confidential nature of this customer, we cannot disclose the agency name. The information learned from this case is a great demonstration of how even the “well-protected” networks require more effective tools to fend off the latest generation of malware.

This agency by nature is obligated to enforce rigorous security policies to protect against unauthorized activity, especially when they are responsible for securing a large network of sensitive information. Some of the restrictions the agency enforces on its users include:

– Users have limited rights to the network

– Users can’t modify anything within the system directory

– Users must access the Internet through a secured proxy.

In such a secure environment, it should be extremely difficult for malware to cause any harm to the network. Unfortunately, even with these strict access rules, Panda Security found various dangerous intrusions in the agency’s network caused by malware.

The following case study covers an audit spanning more then 4,500 PCs with active, up-to-date anti-malware software from a leading vendor. These PCs were analyzed against a set criteria consisting of hidden active or latent malware along with their associated vulnerabilities.